Tough New Cyber Standard Validates Security of DoD Contractors

With the release of the Cybersecurity Maturity Model Certification, the time for systems integrators and other contractors to evade compliance with cybersecurity mandates has finally run out.


April 01, 2020  Darnell Washington  

On Jan. 30, the U.S. Department of Defense (DoD) released the first iteration of the Cybersecurity Maturity Model Certification (CMMC) framework, which requires DoD contractors and subcontractors to obtain third-party certification of their cybersecurity maturity.

The DoD, the Department of Homeland Security (DHS), the National Security Agency (NSA) and NIST have struggled for years to protect the supply chain against threats from nation-state and domestic attackers, who continue to gain adversarial power against U.S. cybersecurity defenses.

Now, under the recent release of the CMMC, the time for systems integrators and other contractors to evade compliance with cybersecurity mandates has finally run out.

Security integrators that previously sidestepped their responsibility to address cybersecurity controls within their product catalog now have to establish compliance with a federal standard that finally has teeth.

Under the regulation, if integrators provide services to the DoD, their organization can no longer assert that they have required security baseline controls in place using self-attestation or self-certification.

Beginning in June, the U.S. government and the DoD will select qualified, highly skilled cybersecurity auditing firms and professionals under a new program using the CMMC. The CMMC rates an organization's cybersecurity against a set of required practices on a scale of 1 to 5. (View program details at

The CMMC highlights the growing concern among U.S. national security officials of possible cybersecurity breaches and data incursions from Chinese security and telecommunication equipment manufacturers. According to the Justice Department, more than 80% of economic espionage cases brought by federal prosecutors have involved China since 2012.

Several manufacturing organizations, distributors, systems integrators and consultants have felt the bite of regulations and unfunded mandates. Many companies have grown resistant to change until published mandates force them to take specific actions that disrupt product roadmaps and increase product costs and the labor required to maintain compliance.

The DoD has recognized that cybersecurity is foundational to acquisition and should not be traded along with cost, schedule and performance moving forward.

Requirements for these “pre-validated products,” and future requests for proposals issued by the DoD, GSA and other federal agencies, will now come to contractors in the form of a required CMMC certification level. The DoD now treats cybersecurity assessments as an “allowable expense” for contracts awarded under the Defense Federal Acquisition Regulation Supplement (DFARS).

Some of the benefits provided by the CMMC will eventually flow down from DoD-related contractors to regulated industries and critical infrastructure protection sectors. End users will now have the ability to select government-validated products that have been verified by certified independent third-party CMMC auditors.

These auditors will understand the risk profile of a contractor’s organization and assess the state of security within that organization against a minimum cybersecurity control baseline rated on a level of 1-5. If a contractor’s product is not verified at the appropriate conformance and certification level, the solution cannot be bid, and the contractor cannot maintain funding for the ongoing maintenance and operation of a non-CMMC-validated system.

The CMMC has been peer reviewed by collaborators from industry and academia, including SecureXperts, who found the program to be a great step in the right direction. The CMMC provides a model that can be implemented, is sustainable and scalable, and meets the necessary objectives for protecting information technology assets within every type of computing environment.

Stakeholders can expect this new mandate to be extended to federal and commercial organizations that provide mission essential services or protect key critical infrastructure assets within the U.S.

Stiff fines and even jail time can be expected, under the False Claims Act, for organizations that do not comply or that skirt mandated procedures.

Self-assessment using the CMMC guidelines is a great way for contractors to examine their organization's current compliance and identify initial gaps. Once contractors understand the CMMC requirements, they should get ahead of the curve by working with a reputable cybersecurity firm that can properly evaluate their organization.

Darnell Washington is President and CEO of SecureXperts, an information security technology and consulting firm.

Darnell Washington

Senior Consultant & Author

Mr. Washington is an industry recognized expert in the implementation of commercial security solutions for monitoring, identifying, and reporting on unauthorized activities in enterprise computing environments.